Beruflich Dokumente
Kultur Dokumente
March 2013
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Introduction ....................................................................................... 1
Terminology....................................................................................... 2
Responsibility-based Security ............................................................ 2
Functions in Responsibility-based Security .................................... 2
Menus ........................................................................................... 3
Responsibilities ............................................................................. 4
Exclusions from Responsibilities .................................................... 5
Role-Based Access Control (RBAC) .................................................. 6
Functions and Permissions in RBAC ............................................. 6
Permission Set .............................................................................. 7
Roles ............................................................................................. 8
Grants ......................................................................................... 14
Roles and Responsibilities ........................................................... 15
Using RBAC to Provide Different Authorization for Different Users .. 16
Role Hierarchy and Role Inheritance ........................................... 16
Using Role Hierarchies to Simplify User Administration ............... 18
Best Practices for Using RBAC with Function Security .................... 20
Best Practice: Optimize granularity of roles ................................. 20
Best Practice: Separate navigation from authorization ................. 21
Best Practice: Use appropriate pages or forms for setup ............. 21
Best Practice: Avoid modification of shipped objects ................... 21
Best Practice: Use delegated administration................................ 22
Conclusion ...................................................................................... 22
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Introduction
There are two main ways to implement security in Oracle E-Business Suite: traditional Oracle
E-Business Suite responsibility-based security (usually referred to as function security) and
Role-Based Access Control (RBAC). Since they overlap in functionality, and RBAC
incorporates and builds upon responsibility-based security, there is often confusion about how
the two security models coexist and interact. This paper discusses the main similarities and
differences between the two types of security setups, as well as the objects involved.
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Terminology
Page, Form, Screen, Window
In Oracle E-Business Suite, we often use these terms interchangeably, but in some cases we use the
word page to refer to an HTML-based or JSP-based application page, form to refer to an Oracle
Forms-based form, and screen or window to refer to either.
Navigation
For the purposes of this paper, navigation is the ability to move to a page or form in an application by
selecting a menu option from the Oracle E-Business Suite Home page or the Navigator, a Favorites
link, a tab or sub-tab on a dashboard, and so on.
Authorization
Authorization means users have the application privileges that allow them to use the functionality of a
page or form. If users cannot navigate to a screen at all, they are implicitly not authorized to use that
functionality. If users can navigate to the screen, they may or may not be authorized to use the
functionality on that screen.
Grant
Responsibility-based Security
Responsibility-based security is usually referred to as function security. We will start with the basic
concepts in function security. Later in the paper we will discuss how those concepts differ and are
included under RBAC.
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Function A
Permission A
Before RBAC was introduced in Oracle E-Business Suite, the concepts of navigation and authorization
were not explicitly separated, and function security did not include the term permission (or
authorization) as a separate concept. Instead, function security included two types of functions:
Non-executable functions (also called abstract functions and originally called subfunctions).
An executable function can be invoked from a generic navigator user interface (the general case of the
Home page or Navigator). Executable functions include navigation; that is, you can navigate to a page,
JSP, form, and so on. An executable function definition must contain all information necessary to
launch the function; often this includes the form name or a URL plus parameters.
A non-executable function represents a securable subset of a page or form's functionality. These
abstract functions provide a mechanism for controlling both the navigation access and authorization to
part of a page or form. Typically an abstract or non-executable function is defined as just a name in
the system, and then the function is assigned to a menu or permission set. The code that implements
an abstract function then calls the function security system to test whether the abstract function is on
the menu (granted). The system only allows the action if the function is granted.
Non-executable functions are not accessed through navigation controls such as a menu option, though
you may see visible effects such as hiding or showing a button that gives you direct access to another
screen. For example, you might be able to navigate to an Orders page (executable function), but you
may not see the Update button or be able to update the order within that page (non-executable
function).
Menus
A menu is a group of functions that are arranged in a hierarchical structure with submenus, prompts,
and so on. In early versions of Oracle E-Business Suite, before RBAC was introduced, menus attached
to responsibilities provided users with a two different things: a navigation path with prompts to get to
a particular piece of functionality, such as a form or page, and the authorization (or permission) to use
that piece of functionality. These two parts, navigation and authorization, were not separated. If a page
was on your menu, then you could navigate to the page, and you automatically had the authorization to
use the page.
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Menu
(Navigation)
Function
A
Grant
(Authorization)
Function
B
Function
C
Function
D
With the introduction of RBAC, that dual purpose of a menu has been explicitly split into its two parts.
Now when you create a menu, you first add functions to the menu with a prompt (the navigation part),
and you must then decide whether to check the Grant check box (the authorization part) for each
function on the menu.
If you are using traditional Oracle E-Business Suite responsibility-based security, you check the
check box for each function to explicitly grant the authorization to the function using the Menu form
(or the corresponding Menu page in the Function Administrator responsibility).
Historical note: When RBAC was introduced in Oracle E-Business Suite Release 11.5.10, all
existing function security menus were automatically upgraded to have the Grant check box
checked for backwards compatibility.
Responsibilities
A responsibility is a level of authority in Oracle E-Business Suite. It enables your access to those
functions and data appropriate for your enterprise role. Each user has one or more responsibilities,
and multiple users can share the same responsibility. A responsibility also provides a context in which a
user operates. This context can include profile option values, available concurrent programs, and so on.
One of the main purposes of a responsibility is to provide access to a menu of functions. For the
simplest case of responsibility-based security, a menu is attached to a responsibility, and then a
responsibility is assigned to a user. At that point, the user has access to all of the functions attached to
the menu through the responsibility. Note that if the Grant check box is not checked for a particular
function, the user cannot access that function.
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Grant
(Authorization)
Function
A
Function
B
Function
C
Function
D
Figure 3. Responsibility including navigation menu with grant check box checked
For those applications where RBAC has not been implemented, setting up functions, menus with the
Grant check box checked, responsibilities, and users is sufficient to set up responsibility-based security
for the application.
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Responsibility
User
User
Responsibility 1
Responsibility 2
Menu
(Navigation)
Function
A
Grant
(Authorization)
Function
B
Function
C
Function
D
Menu
(Navigation)
Function
A
Grant
(Authorization)
Function
B
Function
C
Function
D
Figure 4. Two responsibilities using the same navigation menu, where one function is excluded from the second
responsibility
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Grant
Menu
(Navigation)
Grant
(Authorization)
Function
A
Function
B
Function
C
Function
D
Permission Set
(Authorization)
Permission
A
Permission
B
Permission
C
Permission
D
For backwards compatibility, existing function names can also be used as permissions. Abstract or
non-executable functions (subfunctions) are already simply names defined in the system, and they
already behave as permissions (authorization to use a specific piece of functionality). The names of
executable functions can also be used as permissions when added to a permission set and assigned
through a grant. For an executable function, any prompt and execution information (such as HTML
Call) is ignored when the function definition is used as a permission. Because of this backwards
compatibility, we often use the terms function and permission interchangeably in Oracle EBusiness Suite.
In the diagrams in this paper, we show functions as components of menus for navigation and
permissions as components of permission sets for authorization, but functions defined using the
Functions form or page can be used for either. Permissions defined using the Permissions page do not
contain execution information such as URLs, so they can only be used as non-executable functions
(subfunctions) or as permissions.
Permission Set
A permission set provides authorization to use a group of functions/permissions. A permission set is
similar to a menu, except that it does not provide navigation information such as submenus or
prompts. Generally a permission set is simply a named flat list of permissions/functions. Because a
menu is also a list of functions, it can also be used as a permission set. The navigation information
such as prompts and navigation hierarchy that the menu contains is ignored when the menu is used as
a permission set. The Grant check box is also ignored when a menu is used as a permission set.
A permission set defined using the Permission Set page cannot be used as a menu because it does not
contain navigation information. As with functions and permissions, Oracle User Management keeps
menus and permission sets separate in the Functional Administrator and Functional Developer
responsibilities, and you cannot query one in the page for the other. However, permission sets defined
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
in the Permission Sets page can be queried in the Menus form in the Application Developer
responsibility, where they appear with the Permission Set menu type.
Because of the Grant check box on the Menu form, a navigation menu with the Grant check box
unchecked for all functions, plus a separate permission set with the same functions, provides
equivalent behavior to a function security menu where Grant is checked for all functions.
Grant
Menu
(Navigation)
Grant
(Authorization)
Function
A
Function
B
Function
C
Function
D
Permission Set
or Menu
(Authorization)
Permission
A
Permission
B
Permission
C
Permission
D
Menu
(Navigation)
Function
A
Grant
(Authorization)
Function
B
Function
C
Function
D
In the picture above, the permission set is attached to a named grant to provide authorization to use
those functions.
Roles
In general, a role is a job function within the context of an organization or enterprise. An individual
can have one or more roles. For example, a person could be a Manager as well as an Employee in
a company. Within Oracle E-Business Suite, a role is also a particular object that provides users with
access to and authorization for specific functionality.
Both roles and responsibilities provide users with access to specific functionality, but they have some
important differences. First of all, a role treats the authorization component of access differently than
a responsibility does: authorization in a role can be included either as grants on the menu itself or as a
separate grant to a permission set. Navigation paths in both cases are provided through a menu
attached to a responsibility, which may in turn be assigned to a role. Secondly, users see and choose
from a list of responsibility names in the Home page after logging in, unless users only have a single
assigned responsibility. No role name appears in the end users view of the applications. Other
important differences between a role and a responsibility are hierarchy and inheritance.
Roles and Navigation
RBAC explicitly requires both a navigation component (responsibility with attached menu) and an
authorization component (permission set or grants in the menu) to provide access to application
functionality. To allow navigation to a function, you must have a responsibility, because the menu
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
attached to the responsibility is the only way to provide the navigation path. The responsibility can be
assigned either to a role or directly to the user.
For the very simplest RBAC setup, you can create a role and then assign an existing responsibility to
the role. The menu attached to the responsibility must already have the Grant check box checked for
all functions so the authorization component is available as part of the menu attached to the
responsibility.
User
Role
Responsibility
Menu
(Navigation)
Function
A
Grant
(Authorization)
Function
B
Function
C
Function
D
Another option is creating the menu without the Grant check box checked and adding it to a
responsibility, and then creating a permission set, creating a grant to the permission set, and then
assigning both the responsibility and the grant to the role. The role can then be assigned to a user.
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Responsibility
Menu
(Navigation)
Grant
Grant
(Authorization)
Function
A
Function
B
Function
C
Function
D
Permission Set
(Authorization)
Permission
A
Permission
B
Permission
C
Permission
D
Note that to the end user, the result of the previous two setups would be the same. Similarly, as shown
in the following diagram, an end user would see the same behavior with either RBAC or responsibilitybased security. In this diagram, the navigation menu structure is the same, but authorization is granted
differently: either through a permission set or through the menu.
10
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
User
Role
Responsibility
Menu
(Navigation)
Grant Flag
(Authorization)
Function
A
Function
B
Function
C
Function
D
Function
A Tab
Grant
Function
B Tab
Function
C Tab
Permission Set
(Authorization)
Permission
A
Permission
B
Permission
C
Permission
D
Function
D Tab
Application Page A
Responsibility
Menu
(Navigation)
Grant Flag
(Authorization)
Function
A
Function
B
Function
C
Function
D
Function
A Tab
Function
B Tab
Function
C Tab
Function
D Tab
Application Page A
Note that you can have various combinations of authorization granted either through a permission set
or through the Grant check box on the menu, as shown in the following diagram:
11
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
User
Role
Role
Responsibility
Menu
(Navigation)
Grant
Grant
(Authorization)
Function
A
Function
B
Function
C
Function
D
Permission Set
(Authorization)
Permission
A
Permission
B
Permission
C
Permission
D
Responsibility
Menu
(Navigation)
Grant
Grant
(Authorization)
Function
A
Function
B
Permission Set
(Authorization)
Permission
A
Function
C
Function
D
Permission
C
Permission
D
For simplicity and ease of maintenance, we recommend that you do not mix checked and unchecked
Grant check boxes as shown in the picture above, however. If you are using permission sets separate
from navigation menus, have all the grants come from the permission set instead of having some
grants come from the Grant check box.
Simply adding a role layer between a user and a responsibility adds complexity without providing any
real benefit. RBAC becomes more useful when you create roles that have multiple responsibilities or
roles attached to them. You can then set up a users navigation and authorization for multiple
responsibilities by assigning the single role to the user, rather than assigning the responsibilities
separately. For example, creating and assigning a single role called Sales that contains a responsibility
for an employee plus a responsibility for someone doing sales reduces the effort of making sure each
salesperson gets the correct responsibilities.
12
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Menu
(Navigation)
Function
A
Grant
(Authorization)
Function
B
Function
C
Function
D
Responsibility 2
Menu
(Navigation)
Function
E
Grant
(Authorization)
Function
F
Function
G
Function
H
Figure 11. Simplest useful RBAC setup: role containing multiple responsibilities
Here is the same setup showing an Employee responsibility with employee-specific functions and a
Sales responsibility with sales-specific functions. The two responsibilities are then combined to make
up a Sales role, which inherits the functions from both responsibilities.
13
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Responsibility 1 (Employee)
Menu
(Navigation)
Grant
(Authorization)
Responsibility 2 (Sales)
Menu
(Navigation)
Grant
(Authorization)
Function A
(Check Payslip)
Function E
(Create Quote)
Function B
(Enter Timecard)
Function F
(Enter Customer)
Function C
(Update Address)
Function G
(Enter Order)
Function D
(Request Vacation)
Function H
(Request Approval)
Roles do not necessarily need to contain navigation information (a responsibility) at all. Roles may be
defined as simply as just a role name, where code somewhere in the application checks to see that the
user has the role assigned and then behaves accordingly. Similarly, a role might contain grants but not
have any assigned responsibilities. Typically roles without navigation components are used as part of
role hierarchies to fine-tune privileges given to users.
Grants
Grants in RBAC tie other objects together: grantees (usually roles that are then assigned to users),
permission sets, often for a particular context when the grant applies.
Grants must have at least a permission set assigned to them, and grants must be assigned to a grantee
(a role, a single user, or all users). Grants often also include optional data security objects.
Note: data security and data security objects are beyond the scope of this paper. For information
about data security, see Oracle E-Business Suite System Administrator's Guide Security, Release 12.1, Part
No. E12843-05.
14
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Grants
Grantee (Role,
User, All Users)
Responsibility
Menu
(Navigation)
Grant
Grant
(Authorization)
Function
A
Function
B
Function
C
Function
D
Permission Set
(Authorization)
Permission
A
Permission
B
Permission
C
Permission
D
Data Security
Object
Figure 13. A grant includes assignments to a grantee, a permission set, and optionally a data security object
A grant can and must be assigned to exactly one grantee (role/user/all users). You cannot use the same
grant for more than one grantee (for example, you could not use the same named grant for both the
SYSADMIN user and the Administrator role). You can assign the grant to a role and then assign
that role to as many users as needed, however.
Grants in RBAC are usually named objects so they are easier to maintain. In RBAC, a grant can be
applied under certain context conditions (for a certain responsibility or operating unit, for example).
Any permission granted anywhere in the role structure affects the entire structure, unless a specific
context is specified to limit when the grant is applied. For responsibility-based security with the Grant
check box on a menu, the granted permission always applies regardless of user context.
15
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Both roles and responsibilities can be arranged hierarchically, and the behavior for the end user is
similar. If you add a role under a responsibility, you must set up a grant for that role that specifies the
responsibility name in the security context for the grant to be sure that the effects of the grant only
appear while the user is in that responsibility.
Role 1 (Sales)
Responsibility (Sales)
Grant
(Authorization)
Menu
(Navigation)
Function
A
Function
B
Function
C
Function
D
Function
A Tab
Grant 1
(View)
Permission Set 1
(Authorization)
Permission A
(View Quote)
Permission B
(View Order)
Responsibility (Sales)
Function
A
Function
B
Function
C
Function
D
Function
B Tab
Application Page A
Grant
(Authorization)
Menu
(Navigation)
Function
A Tab
Grant 2
(View, Approve)
Permission Set 2
(Authorization)
Permission A
(View Quote)
Permission B
(View Order)
Permission C
(Approve Quote)
Permission D
(Approve Order)
Function
B Tab
Function
C Tab
Function
D Tab
Application Page A
Figure 14. Using different permission sets with the same responsibility
16
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
both to the sales role and the manager role, because every salesperson and every manager is also an
employee. The sales manager role has both the sales role and the manager role attached to it. The
sales manager role inherits the employee role from both the salesperson and the manager roles, so the
employee role does not need to be attached directly to the sales manager role.
User (Salesperson)
User (Manager)
Role 2 (Manager)
Role 1 inherited
by Role 4
Role 3 (Sales)
User (Employee)
Role 1 (Employee)
Figure 15. Roles higher in the role structure inherit roles lower in the structure
If you look at the role hierarchy in the Roles page user interface, the hierarchy looks like this:
17
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
This view of the hierarchy shows that the sales manager role inherits the employee role through both
the sales role and the manager role.
If each of the four roles in our example has a corresponding responsibility, then the sales manager role
would have four responsibilities: employee (inherited), sales, manager, and sales manager. Note that
even if responsibilities are duplicated within the role structure, a user sees only one of each
responsibility name in the Oracle E-Business Suite home page.
All the privileges associated with a role, such as responsibilities, permission sets, and grants, are
inherited as part of the role.
18
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
User 1 (Salesperson)
Role 1 (Sales)
Responsibility
Menu
Grant 1
Permission Set
Data Security
Role 2
Role 3
Responsibility
Grant 2
Responsibility
Responsibility
Responsibility
Menu
Permission Set
Menu
Menu
Menu
Setting up role structures can simplify the administration of users. In the diagram above, Role 1 (Sales)
is assigned directly to User 1, while Role 2 and Role 3 are assigned indirectly (inherited) by assigning
Role 1; they need not be assigned directly.
Now suppose User 2 (Sales Manager) should have all the same navigation menus and roles as User 1
(Salesperson), but User 2 should have access to additional functions on the menu in Role 1 but not
authorized by Grant 1. Role 4 (Approve Orders) can be assigned to User 2 to provide additional
authorization to functions in the menu under Role 1. Note that Role 4 does not contain any
navigation components; it only provides authorization for other components in the role structure.
This can be useful for fine-tuning authorization. For example, the salesperson can see but not approve
sales orders, but the sales manager has additional authorization to approve orders.
19
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
Role 1 (Sales)
Responsibility
Menu
Grant 1
Permission Set
Grant 4
Data Security
Permission Set
Role 2
Data Security
Role 3
Responsibility
Grant 2
Responsibility
Responsibility
Responsibility
Menu
Permission Set
Menu
Menu
Menu
20
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
21
Function Security and Role-based Access Control (RBAC) in Oracle E-Business Suite
the Grant check box for functions in menus so that you can control authorization more finely using
grants and permission sets.
Conclusion
Because RBAC involves more objects than responsibility-based security, RBAC is slightly more
complex to set up initially. However, RBAC is also more powerful and flexible than using only
function security. Once you learn to set it up, RBAC can save a lot of time and effort in the long term
by making administration of individual users and groups of users easier.
22
This document is provided for information purposes only, and the contents hereof are subject to change without notice. This
January 2013
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in
law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This
document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our
Tadepalli
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and
are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are
trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0113